Credit and debit cards are the preferred payment method of 77% of US consumers, which is why most businesses selling consumer products and services accept them.
It’s easy for a company to get set up to accept cards with a merchant processor, for example it takes just a few minutes on services like Stripe or Square. But one responsibility that comes along with accepting those debit and credit cards that newer companies may not know about is PCI Compliance.
PCI Compliance refers to requirements set by the major card brands (Visa, MasterCard, American Express, Discover, and JCB, acting through the PCI Security Standards Council) for how credit and debit card data is accepted, processed, stored, and transmitted. The standard itself is the PCI DSS, the Payment Card Industry Data Security Standard; "PCI" is often used as shorthand for it.
You may think that if you sign up for a merchant account, the processor handles all that "security stuff," right? Not entirely. Popular payment processors are themselves PCI compliant, but some requirements still fall on the company accepting the cards, and you need to know what they are, especially because they determine how you are treated if you suffer a data breach.
50% of small businesses have had a data breach in the past year. (PCI Security Standards Council)
Connect2Geek helps businesses in Boise and Nampa, Idaho keep their networks secure, and we often run into companies that are unknowingly out of compliance with PCI (which can mean fines). We get them back on track with our managed security services, which include assistance with PCI compliance.
So, what are some of the things you need to know about being compliant with PCI when processing credit and debit cards? We’ve got five important insights about this security standard that you need to know to avoid penalties in the future.
What Important Things Should I Know About PCI Compliance?
The basic goal of PCI Compliance is simple: handle customers' card data securely and responsibly. The details are where it gets complicated.
PCI DSS requirements cover everything from strong encryption of cardholder data sent over open, public networks, to secure software development practices, to maintaining and testing an incident response plan for a breach of cardholder data.
Our awesome Connect2Geek 24/7 Security Team has pulled out some of the most important things you should know about this standard if you accept credit or debit cards at your company.
There are Four Company Levels to PCI Requirements
Validation requirements differ depending on how many card transactions you handle per year and whether you've had a breach that compromised cardholder data. Each card brand defines its own merchant levels; the tiers below follow Visa's, which most acquirers use.
Level 1:
You’re in this level if you:
- Process more than 6 million card transactions per year across all channels
- Have had a breach that compromised account data
- Have been designated Level 1 by any card brand
Requirements:
- Annual on-site assessment and Report on Compliance by a Qualified Security Assessor (QSA)
- Quarterly external network scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance (AOC) form
Level 2:
You’re in this level if you:
- Process between 1 million and 6 million card transactions per year across all channels
Requirements:
- Complete the annual PCI DSS Self-Assessment Questionnaire (SAQ)
- Provide evidence of a passing quarterly external vulnerability scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance (AOC) form
- Submit any other paperwork your acquiring bank requires
Level 3:
You’re in this level if you:
- Process between 20,000 and 1 million e-commerce transactions per year
Requirements:
- Same requirements as Level 2
Level 4:
You’re in this level if you:
- Process fewer than 20,000 e-commerce transactions per year, or up to 1 million total card transactions per year across all channels
Requirements:
- Same as Level 2 (exactly what a Level 4 merchant must submit is set by its acquiring bank; at minimum expect an annual SAQ and quarterly ASV scans where you have externally facing systems in scope)
You’re Required to Manage the Compliance of Your 3rd Party Vendors
When you sign up with a payment processor online in order to accept credit cards, you might think the onus is all on them for PCI compliance, but it's not. As the merchant that accepts a customer's card, you are responsible for the service providers you share cardholder data with. PCI DSS Requirement 12.8 spells this out: keep a list of those providers, have a written agreement in which each acknowledges its responsibility for the cardholder data it handles, do due diligence before engaging them, and check their PCI DSS compliance status (usually by asking for a current Attestation of Compliance) at least annually. Outsourcing the card form to a hosted payment page reduces your scope, but it does not remove it: you still complete an SAQ each year and remain accountable for the vendor you chose. So verify a vendor's compliance before you trust them with your clients' payment details.
Multi-Factor Authentication is Required for Remote Access
PCI DSS requires multi-factor authentication for all remote network access into the cardholder data environment that originates from outside your network, whether the user is an administrator or not, and for all non-console administrative access to systems in that environment. The reason is simple: roughly 81% of hacking-related data breaches involve stolen or weak passwords (2017 Verizon Data Breach Investigations Report), and a password alone is no longer a reliable gate.
Multi-factor authentication means proving identity with at least two independent factors: something you know (a password), something you have (a phone, a hardware token, an authenticator app), or something you are (a fingerprint). The common form is a short code delivered to, or generated on, a device the user holds, which must be entered within a limited time window and is only good for a single login. Codes sent by SMS are the weakest of these options, since phone numbers can be hijacked, so prefer an authenticator app or hardware token where your processor or remote-access gateway supports one.
PCI DSS Requirements are Always Evolving
Just as IT security is never static, neither is PCI. The PCI Security Standards Council updates its standards in response to new threats and changes in how cards are processed. The current version of the data security standard, PCI DSS 3.2.1, was published in May 2018, and at the time of this blog the Council's newest standards, the Secure Software Standard and Secure Software Lifecycle Standard of its Software Security Framework, were released in January 2019. Check the version your acquirer expects you to validate against, since older versions are retired on a schedule.
There Can be Stiff Penalties for PCI Non-Compliance
If your business mishandles customer card data, suffers a breach, or is otherwise found to be out of compliance with PCI DSS, you can be fined or even lose your ability to accept debit and credit cards.
The card brands levy non-compliance fines on your acquiring bank, commonly cited as $5,000 to $100,000 per month depending on the merchant's level and how long the violation persists. Banks then pass those costs on to the merchant directly, by raising fees, or by terminating the merchant account altogether. After a breach you can also be reclassified as a Level 1 merchant and be liable for the cost of a forensic investigation and reissuing compromised cards.
Get a Handle on Credit Card Security Requirements with Connect2Geek!
Being in compliance with PCI can seem daunting and expensive, but it doesn’t have to be when you have the right IT partner on your side! We have extensive experience helping clients with their credit and debit card processing security and ensuring they stay in compliance with industry standards.
Give us a call anytime to chat about PCI and IT security at 208-468-4323.